Purpose of Knowledge Article:
A guide to installing Google Authenticator on your mobile device and setting up an MFA token in the Google Authenticator app.
| Warning |
|---|
| If you use Google Authenticator on your personal or Lab-issued mobile device, Lab policy requires that the device be configured to use a lock screen (PIN, pattern, fingerprint, etc.). |
Resolution:
| Note |
|---|
| These instructions must be followed on a computer so that the mobile device can be used to scan a barcode off the computer's monitor. If you have trouble, try Google Chrome in Incognito mode or Firefox in Private window mode. |
Install Google Authenticator and add MFA token on Android
What is Token management/Authentication?
Security tokens are another method of authenticating a user to LBL's network and provide an added level of security against unauthorized access. Token management is used for devices that use Active Directory, which includes Windows-based machines and mobile phones.
What is the New Token Solution?
To better protect LBL's assets and intellectual property, we continue to use a combined hardware and software approach to credential security. Attackers sometimes use keyloggers or packet sniffers to capture a person's username and password. A proven (though not guaranteed) way to protect against such attacks is to use dynamic One-Time Passwords (OTPs), since a captured code is single-use and expires within seconds. Our implementation continues to use both a software solution (Google Authenticator) and a hardware solution (YubiKey).
What is Google Authenticator?
Google Authenticator is a software app installed on your local device, typically your phone, that generates the OTP needed to log in to LBL's systems. Each token is valid for 30 seconds; a countdown timer in the app shows when the current token expires. When it expires, a new token is generated automatically, and that current token is the one to enter when you log in.
What is a YubiKey?
YubiKey is a hardware OTP token generator that can also store a user's credentials. It is manufactured by Yubico and used by Facebook and Google. Before logging in, insert the YubiKey into a USB port on your computer; on first use you may need to wait for the correct device drivers to install. To use the key when logging in to LBL's systems, enter your LBL username and password, then tap the gold contact and the YubiKey will insert the OTP into the appropriate field. Then press Return. The "YubiKey 4" hard key is small (2" x 0.75") and can be carried on a key ring; the "YubiKey 4 Nano" is meant to stay inserted in a computer's USB port. Each YubiKey is issued to a specific LBL user and registered by the IT department. You must know where your YubiKey is at all times because it is assigned specifically to you. Should you lose this device, report it to IT immediately.
What if I forget my YubiKey at home?
You can use Google Authenticator to log in instead.
What if I lose my YubiKey?
| | Instructions |
|---|---|
| 1 | Report the loss to the IT Help Desk at x4357 or online, and wait for a new YubiKey to be assigned to you. |
| 2 | Go to the OTP Homepage and click "Lost (disable)" for that specific YubiKey. |
| 3 | Click "Disable" to permanently disable the hard key. |
How Do I Register My Devices for OTP?
YubiKey
| | Instructions |
|---|---|
| 1 | Go to the OTP Token Management webpage and click the "Berkeley Lab login" button. |
| 2 | If your YubiKey is registered, you will see it listed on your OTP Homepage as "BerkeleyLabKey (Yubikey)". |
| 3 | On first use, insert your key into a USB slot on your computer. The required device drivers will install automatically. |
| 4 | OPTIONAL: You may resync your YubiKey by clicking the "Resync" link. You will need your YubiKey handy. |
| 5 | Insert the YubiKey into your computer and, with the cursor in the "One-Time Password 1" field, tap the gold, circular "Y" symbol on the top of the YubiKey 4. A tap on the metal generates an OTP and auto-populates the field. Then move the cursor to the second field, "One-Time Password 2", and tap the gold, circular "Y" symbol again; a second OTP auto-populates the field. If you are using the YubiKey 4 Nano, press the rounded front of the key protruding from the USB port instead of the gold, circular "Y". Then click "Resync". |
| 6 | OPTIONAL: On the OTP homepage, you may verify that the OTP is working by clicking the "Test" link below your device's nickname. |
| 7 | With the YubiKey in the USB port, press the YubiKey's gold, circular "Y" symbol (or the rounded front end of the Nano) to generate the OTP, then click "Test Now". If it is successful, you will see the message "SUCCESS!" You can test again or click "Done". |
Google Authenticator
| | Instructions |
|---|---|
| 1 | On your mobile device, find the Google Authenticator application in the Google Play Store. Install and open the app. |
| 2 | On your mobile device, tap "Begin setup". |
| 3 | On your mobile device, tap "Scan a barcode" (or "Enter provided key"; this example scans a barcode), leave the app at this screen, and go to your computer. Tip: If you are missing a "Barcode Scanner", the app will prompt you to install a suggested app such as ZXing's "Barcode Scanner" (your device may suggest another suitable scanner, which is also sufficient). Tap "Install". After installation has completed, tap "Scan a barcode" once more in Google Authenticator. |
| 4 | On your computer, go to https://identity.lbl.gov/mfa to add a token and create a barcode. You must generate a barcode at the above link to continue installation, and this step must be done on a computer because you will scan the barcode with your mobile device. Click the "Add an LBL token" link. |
| 5 | Select the authorization method by which you will receive an authorization code. The choices are: Email (the personal email address on record) or SMS text message (the personal phone number on record). For this example, SMS (text messaging) is used. Click the "Start" button to receive a text or email with the authorization code. |
| 6 | Type the authorization code you received in your email or in the text message on your mobile device into the "Enter Authorization Code" field on the computer, and give the registered device a meaningful nickname in the "Token Name" field. We recommend including the month, year, and model to easily identify the device; for example: Jay's iPhone 11, August 2020. Click "Add Token". Note that there is a time limit for completing this step; if time has expired, click "Cancel" and retrieve a re-issued token. |
| 7 | A 2-D barcode (QR code) appears on the computer screen that you must scan with Google Authenticator on your mobile device. If you have not already done so, install the Google Authenticator app from the Google Play Store, open it from the "Authenticator" icon on your device, tap "Begin setup", then tap "Scan a barcode" (steps 1 to 3 above). |
| 8 | Aim your phone's camera at the 2-D barcode in the browser when the barcode scanner runs inside Google Authenticator. You may need to slowly adjust the distance and angle of your phone to let the camera auto-focus and capture the barcode image. Note: You only have ONE CHANCE to scan this code. Do not close this window until you have successfully scanned the code. |
| 9 | If the barcode scan is successful, you will see the 6-digit OTP (One-Time Password) on your mobile device. This code is valid for 30 seconds only, and a 30-second timer is shown on screen; as the time limit approaches, the code may turn red. If you cannot enter it immediately, wait a few seconds until the next code appears and use the most current auto-generated OTP. You must enter the token when you log in with your username and password. Once you have scanned the code, click "I have scanned the code" next to the QR code. |
Install Google Authenticator and add MFA token on iOS Device
1. Install Google Authenticator
Video: https://drive.google.com/file/d/1fqXLWkOBLNz8SHwnlYhV_XIijAOo-zna/preview
| | Instructions |
|---|---|
| 1 | On your iOS device (iPhone/iPad), open the App Store. |
| 2 | At the bottom, tap the Search icon. |
| 3 | In the search field, type "Google Authenticator". |
| 4 | Tap Search. |
| 5 | In the results, tap "Get" (or the download icon) for Google Authenticator. |
| 6 | Once it has finished downloading, tap "Open" and continue to the "2. Setup MFA Token" section of the instructions. |
2. Setup MFA Token
Video: https://drive.google.com/file/d/17NI0adz46Ix7MX4Opxk5oze5yM40lSHL/preview
| | Instructions |
|---|---|
| 1 | On a computer with internet access, go to https://identity.lbl.gov/mfa. If you are prompted to log in with your Berkeley Lab Identity account, do so. |
| 2 | On the Multifactor Authentication (MFA) Management page, click "Add an LBL token" in the bottom left corner of the page. |
| 3 | Select your preferred Authorization Method from the drop-down menu. Be sure you have access to the Authorization Method you selected. |
| 4 | Click "Start". |
| 5 | Provide the Authorization Code you received via the method chosen in Step 3. |
| 6 | Type in the Token Name you would like to use, for example: Pixel6, iphone12, Uranus, Pizza. Note: the name is an identifier so that you know which device the token is on. |
| 7 | Click "Add Token". |
| 8 | A QR code will appear. |
| 9 | If you have not already launched the Google Authenticator app, launch it on your iPhone/iPad. Note: If you do not have the Google Authenticator app installed, see the previous section, "1. Install Google Authenticator". |
| 10 | Select "Use Authenticator without an account". |
| 11 | Tap the colorful plus icon at the bottom right (or tap "Get Started" first and then the colorful plus icon). |
| 12 | Select "Scan a QR code" to activate the camera. Note: you may be prompted to give the Google Authenticator app permission to access your phone; follow the prompt to allow it. |
| 13 | Point the camera at the QR code and adjust it so the QR code is within the green indicator box. It will scan automatically, and the new token for Lawrence Berkeley National Laboratory, with a 6-digit code, will appear in your Google Authenticator app on your phone. |
| 14 | Click "I have scanned the code". |
| 15 | On the Multifactor Authentication (MFA) Management page, you will see your new token listed. |
| 16 | You're done. |
Test Google Authenticator
| | Instructions |
|---|---|
| 1 | Your OTP dashboard should show all of the devices from which you will log in to LBL's systems that require an OTP, including the one you just added. Registration is now complete. |
| 2 | OPTIONAL: On the OTP homepage, you may verify that the OTP is working by clicking the "Test" link below your device's nickname. |
| 3 | Enter the time-sensitive OTP from Google Authenticator on your device into the "One-Time Password" field and click "Test Now". Note: once its time has expired, a token is invalid; only the newest OTP should be entered into the field for verification, and expired codes will not work. |
| 4 | If successful, you should see the message "Success! You can test again or click Done". If there is a problem, you may restart the registration or call the help desk at x4357. |
Remove a token
| Warning |
|---|
| Ensure you have another form of MFA set up before removing a token. |

| | Instructions |
|---|---|
| 1 | Go to https://identity.lbl.gov/mfa/ and identify the device that you want to permanently stop using. Note: Ensure you have another form of OTP to use before removing your device. This does not remove the requirement for an OTP on certain logins. |
| 2 | OPTIONAL: On the OTP dashboard, click "Delete" if you decide to permanently stop using the device to access LBL assets that require an OTP. |
| 3 | Click "Delete" to confirm the deletion. |
| 4 | If you were using the Pledge application from Nordic Edge, you may uninstall it now. |